INTERNAL AUDITORS have always had to play detective to some degree as they sort through data and piece together facts. Today, with threats to computer systems coming from all over the globe instead of from just within organizations, many auditors have to think like federal law enforcement and intelligence agents as well.

Cyber-crime has moved information security considerably higher on the priority list for many organizations. Online fraud is one of the criminal threats that businesses are increasingly finding a need to protect against. For auditors, this trend means a growing need to help the organization track down cyber-criminals and to learn how to stop Internet-based fraud before it happens.

Auditors might not have famed Hollywood spy James Bond's high-tech gadgets at their disposal, but there are tools they can use in the battle. The first is knowledge. "Auditors need to understand that there has been a change in the paradigm of how business is being conducted and how information is being stored, and they need to be aware of the cyber-threat," says Howard Cox, acting deputy general counsel with the Office of Inspector General, U.S. Postal Service, and part of a group that conducts IT audits of postal computer systems. "If you don't recognize that the threat is out there, you can't protect yourself against it."

To recognize the threat, auditors must have a firm grasp of the technology and risk issues behind the problem, says Alan Oliphant, an information security and audit consultant in Edinburgh, Scotland. "The majority of auditors still lag behind the fraudsters when it comes to understanding cyber-fraud."

DEFINING THE PROBLEM

Cyber-fraud has been a threat to organizations since the early 1990s, when business networks began connecting to the Internet.
It can affect any organization that uses the Web, from the largest corporation or government to the smallest mom-and-pop business, says Bill Jennings, director of the Financial Services Group for Kroll Risk Consulting's Central Region.

Internet connections have been cited for the fourth year in a row as the most frequent point of attack for cyber-crime by the 2001 Computer Crime and Security Survey conducted by the Computer Security Institute (CSI) and the U.S. Federal Bureau of Investigation. The proportion of survey respondents who reported this vulnerability rose from 59 percent in 2000 to almost 70 percent in 2001. In addition, the financial toll from computer crimes and security breaches is continuing to escalate. In fact, 64 percent of the 538 computer security professionals surveyed from public and private organizations in the United States acknowledged financial losses from computer breaches. A substantial proportion of these losses was attributed to financial fraud.

Although there are numerous potential sources of Internet-related fraud, the most common, according to Cox, are:

* Internal employees who use the Internet to anonymously gain access to data that is not related to their jobs and then misuse it for personal gain, compromising the organization's security. These people usually are about to be fired or are unhappy in their jobs.
* Disgruntled contractors whose computer systems are linked to the victim organization's computer systems. These offenders generally are unhappy with the contractor relationship and want to steal sensitive data, possibly to sell to competitors.
* External third parties, or hackers. These can range from an organization's business competitors to foreign governments to organized crime rings stealing sensitive data such as customer credit card information.

The perpetrators of these cyber-crimes have one thing in common: They want to compromise systems, steal data, or divert data.
The reasons are diverse, says Cox, whose group conducts criminal investigations into hacking and hackers, but there are three primary motivations for using the Internet to commit fraud. One, the Web is tapped into so many potential sources of money, as more and more financial transactions are conducted online. Two, the Internet is the perfect venue for criminals to act anonymously because there are so many ways of covering up identity. And three, new laws have made obsolete some internal controls auditors have relied on in a traditional environment.

For example, suppose an auditor is looking at a claim submitted to a company about a document he or she thinks the company never received, such as a receipt from a credit card transaction. In a paper world, the auditor would follow the paperwork and seek an original document with a signature. Today, U.S. law allows organizations to accept signed documents over the computer instead of in writing.

This scenario represents one of the most important controls that is compromised by use of the Internet, says Oliphant, a frequent industry speaker on the subject of cyber-fraud. There is little or no physical evidence of transactions, such as credit card purchases, that take place on the Web. "With a physical transaction in a shop, some form of signature on paper will be available for forensic examination should a transaction be suspect," Oliphant says. "In cyberspace, there is a stronger element of trust."

If a company's auditors believe a claim is false and they want to pursue the case, their challenge is to determine the identity of the person who hit the transmit button on the computer that sent the document. This situation poses four problems for many organizations that are not equipped to handle it, Cox says:

* No proof of who sent the document.